Good morning, everybody. I'm Nick. This is Josh. I'm going to do a few introductions
and then we'll jump right into the content here. So I'm Nick Percoco. I have always been
and I currently am a hacker. Yay! Let's try that again. In my day life, day job, I actually
run a small team called SpiderLabs at Trustwave. And some of the background, I've done a lot
of speaking. It's my eighth time speaking here at DEF CON and I spoke on stage at TED.
I've also keynoted RSA this past year. And here's Josh.
I'm Josh Corman. In my day job, I'm director of security intelligence
for Akamai.
My comments today are my own. They may not reflect those of my employers. I've kind of
been wrestling with being a philosopher in a hacker community. But I think I've come
to own it. And I think my research has trended from things like espionage or malware to things
that affect our personal lives and human rights and public safety. And that's really taken
me down a path for today's topic.
So a little about where we came from and where
we're going. This talk is actually not a presentation. This is a discussion. This is
a discussion between me and Josh here on stage and a discussion with all of you. This is
not a finished presentation. So if you're expecting at the end of this to have us
solve the world's problems here, that's not the intent. This is the start of a conversation.
And we also have right there in sort of mid‑audience there, we have a microphone. It's there for
you to use.
If you have a question, you have a comment, you want something to add to the conversation,
please use it. But also note that we have a finite amount of time here on stage, 45 minutes
to be exact. And so please, if you can't fit your comments and questions in 140 characters,
please save it for the Q&A session. And we will have a Q&A. There's no Q&A room. But
afterwards, please join us in the Chill Out Lounge to continue the discussion.
You know, part of the impetus for this is ‑‑ how many of you have been to
DEF CON before? Okay. A lot of new people here this year. I don't know if you noticed.
Both encouraging and overwhelming. But a lot of us got into hacking because it was our
hobby, right? And when we weren't paying attention, how many of you noticed it kind
of accidentally became our profession, right? It's kind of messed up. But actually we weren't
paying attention again. Now IT security, which was our hobby and then our job, is now
permeating every aspect of our personal lives and our personal safety and our kids. Our ‑‑
We're putting software in places it does not belong and is not merited. We have medical
devices that are completely with no encryption whatsoever on their Bluetooth stacks that
are unnecessary. As I tried to buy a car, I couldn't find one without a hackable operating
system. If you go to Shodan, you can find default usernames and passwords for control
systems, for power grids, for hydroelectric dams. This isn't FUD. This is real. And as
we depend on software in places, it needs to be dependable.
And in the presence of attackers, it needs to be defensible. And I guess every time
I want to quit security, I realize that our failures are going to be inherited by me,
my body, my mind, my soul, and my family. So don't think today is how do you get better
at your day job. Think about how do you actually hack your personal life and your personal
freedoms and that should be the scope of today.
So a couple of weeks ago, I decided to do a juice cleanse. Has anybody ever done one
of those before? A couple of people. Yeah. So you spend three days drinking six bottles
of juice and nothing else. And besides having interesting bowel activity, it also gave
me very vivid dreams when I would sleep. And so at night, I would go to bed at night
and I would wake up in the morning with these sort of memories, these odd memories. You
know when you wake up in the morning or you wake up from a dream and you're sort of disoriented
and you think, oh, that was real. That was almost a real experience within a dream. Well,
I had a few of those a couple of weeks ago. The first dream that I jotted down that I took notes about, I was
on a bus. The whole dream just sort of took place on a bus. I didn't know really where
we were going. I was a little bit confused. But I saw people I recognized. I saw people
sitting with paperwork in front of them, with computers in front of them. And I started
to ask questions. Where are we? Where are we going? And I soon realized that we were
all going to apply for federally issued software development licenses.
Each of us, and somebody actually showed me they had one that was expired. They needed
to renew their license or they could not even write a bit of code. So I thought that was
pretty interesting to sort of have that dream. One of the other dreams I had that I took
notes about, I was actually in a hotel. I travel quite often. I actually travel all
over the world almost constantly. And in the morning when you walk out of your hotel and
the USA Today paper is sitting there on the floor and you see the headlines, sort of how
you get woken up in the morning. I remember looking at the paper and I was like, oh, I'm
looking, glancing down at that paper as I was off to a meeting and saw on the headlines
and it said Florida man, it said Florida man arrested for hacking tools, possession of
hacking tools. And I remember flipping open the paper, reading page seven about what that
story was about and it showed a logo of Metasploit and it mentioned Nmap and mentioned Nessus
and other, other tools on there that people might have in their possession. And I was
like, wow, that's interesting. And then another dream that I had and I started soon
realizing that these weren't necessarily dreams. They were vivid. But they were actually nightmares.
And this third dream, I was walking down the street in Chicago, sort of dusk, sun is
going down, turned down an alley and walked up to a door. I rang the bell and I remember
being able to see there was a camera shining on me. I rang the bell and they buzzed me
in. I went up, walked up three flights of stairs, walked up.
Went to a Chicago apartment and there was guys and girls milling about, having discussions.
Over on one side of the room there was a MakerBot. Other side of the room there was a cluster
of monitors. Another area there was some electronics laying about and, of course, a lot of cables
all over the floor. Somebody I recognized actually handed me a beer and said, hey, welcome.
The discussion is going to start in a little while. So I sort of took my seat and started
saying hi to people. And then all of a sudden the lights went out. Electricity went out.
All the power went out in this apartment.
And one of the initial reactions, I remember someone in the background saying, oh, fucking
ComEd. The power went out again. But then we started hearing banging on the front door
and then banging on the back door. And men came into the room wearing black shirts, black
pants, black boots and they started to say we were under arrest for the violation of
some act. And I can't really recall what that act was.
And they lined us up against the wall and then one by one started to zip tie our
legs and carry us down the stairs. Now, this was a nightmare that I had. Obviously,
it's not real. But it's very much grounded in reality and the things that we experience
today. If you extend what is going on today, five, ten years from now, I can see a time
when someplace like DEF CON can't exist. But we don't have to. There's a better way. I
think we're being criminalized for writing tools, we're being criminalized for research, but we don't have to.
Uh oh. So when Nick told me his dreams, I had two thoughts. First, I'm never doing
a juice cleanse. And I said, you know, this isn't FUD. Let's get real. These are actual
precedents. Whether you love or hate weev, weev's case is a very dangerous precedent for
the criminalization.
This community does and lives and thrives on our ability to pervasively do security
research. If you saw the aggressive prosecution of the late Aaron Swartz and all the Aaron's
Law discussions coming from this, do you know there's a state law in Texas that makes it
technically illegal to do a port scan? And for my international friends, Germany and
France have already specifically outlined certain hacker tools that are really just
assessment and Nmap-y type things. And I actually learned last night that Brazil, after
some actress had some nudie photos revealed, they passed under duress a law that basically
makes it criminalized to have things like Nmap or any port scanning tools at all. So
this isn't FUD or fear. This is things that are actually happening. And it's up to us,
in lieu of any adults in the room, to be the adults. Now, that should terrify you,
right?
Um, but it dawned on me over the last couple of years that this is not going to happen.
You know, I was researching anonymous here two years ago at DEF CON. And one of the things
I was concerned about is some sort of neo McCarthyism when you had a lot of aggressive,
high profile acts and demonstration of hacking will. Whether you like them or not, it captured
hearts and minds and it scared policy makers. And when powerful people are uninformed, they
make powerfully uninformed knee jerks. And I ‑‑ you know, he started off in his
intro saying he is now and always was a hacker. I fear the need to say "I am not now nor have
I ever been a hacker" in our near future. And if you're not worried about it, you really,
really should be. Because policy makers aren't as technically literate as this community
is. And that's really the thrust of this talk is that I think a lot of us, even our
best and brightest researchers, even our A listers, so to speak, every time I ask them
why they aren't more concerned, they're like, someone is going to come fix it. Let me tell
you something. No one is coming. The people who are going to fix it are to the left of
you, to the right of you, or in your own chair.
And that was really the big flip for me. So another part of this is that, you know,
for personal reasons, I basically hit rock bottom in January. I lost my mom at 58. Had
a pretty tough year last year. It really throws into context what's important to you and how
much time you have. And I felt like I was diminished, that I couldn't really contribute.
And what I realized is, you know, people don't really make changes until they hit rock
bottom. Right? If you want to be a science person, no one changes until the pain of
maintaining inertia exceeds the pain of making change.
Well, it hurts pretty bad right now. It sucks. There's a general malaise here. Yes, we've
had a great week at DEF CON, but there were more talks about burnout and suicide and depression.
And there were also a lot of talks that had absolutely nothing to do with security. Because
there's an implicit defeatism.
And we don't have to accept that defeat. So there's actually a value in hitting rock
bottom. And that value says when no one is coming to save us, it falls to us. And if
you don't see good things happening, we can put good things in.
So at my mom's funeral, I said, you know, the absence of heat ‑‑ you know, cold
is the absence of heat. Darkness is the absence of light. And maybe it's not that there's
evil in the world.
But maybe there's an absence of good. And I realized that each one of us can finally
take matters in our own hands and put in that leadership that's sorely lacking.
Nature abhors a vacuum. And I can hear the sucking sound. And it's time to fill that
vacuum.
Now what that means is no matter how much we hate certain things, the alternative is
worse. So we continue to fail, but we don't have to fail in the same way, right? So we're
actually suggesting some pretty radically uncomfortable experimentation. And we're going
to. I can't believe we're at DEF CON and we're actually going to suggest these things. But
we haven't really engaged in the formal process and how things work in the world. You know,
there's no senators or congressmen who are experts on stem cell research. They rely
on subject matter experts, think tanks, lobbies, et cetera. And as much as we hate these ideas,
we're going to ask you to both tolerate and participate in a series of very uncomfortable
and very unnatural acts. And this means we already have EFF. EFF has done fabulous things
for our community. We haven't really had a voice of interest for our profession and for
our talent and expertise. So now we're actually going to be suggesting and starting. We're
doing it with or without your help, but we'd love your help. A 501 think tank for professionalization
of research. Number two, a 501 lobby even though we think they're horribly corrupt and
corruptible.
It's finally time.
That we have access to the corridors of power. We're also going to professionalize.
We're going to do it very carefully so that we don't become the monsters we fight. But
just like the Bar Association for lawyers or the American Medical Association, giving
a voice to the priorities of this community that is public and can give commentary on
public policy and public events, that's credible, literate, and a voice of reason. And then
possibly most importantly, we need an integrated PR and media campaign to win hearts and minds.
We have some of the best social engineers on earth, but we've done a really, really
bad job setting the narrative. I love seeing Nick on the mainstream news or on TED stage,
but more often in the last few years we've seen Lagat. So once again, we can take that
microphone and bully pulpit and we can have the right spokespeople with the right messages
to actually represent our community interests. You have anything to add?
Talk about the chain of influence.
So whether we like it or not, what we do,
what we say, how we dress, how we — what we do in our everyday lives influence people.
The words that are coming out of my mouth right now on stage may be influencing you
in a positive way, may be influencing you in a negative way. You may take something
that Josh and I have said and talk to somebody else and that message will relay to them.
and that chain continues. Now, unfortunately, when we take someone from our community, someone
who's a hacker from our community, and put them in front of a policy maker or a senator
or a global government, this is not just a U.S. issue, this is a global issue, what they
see is not someone they trust and someone who's an expert, but they see a hacker. And
so while the research that that hacker is doing may be vital to our existence, it may
have life benefiting needs behind it. They still see a hacker. And so what we're doing
within this movement is trying to organize, better organize. You can have the breakers.
You can have the hackers. They're vitally important to our community. But then you also
need people who go and come up with the fixes. Now, the breakers may be the same people that
come up with the fixes, but they don't have to be. So if you're someone who out here
likes to break things, how many people like to break things in the room? OK. How many
people also like to fix things? You're part of this as well. It's
not just the people in this room. We also need people to continue that chain. We need
people from all different backgrounds, also people who represent the various industries.
So when we go follow that chain, and we put someone in front of policy makers or someone
who's on national television or international news. They may be someone who has one foot
in our community and one foot in the industry that we're focusing on, whether it's the medical
community or the automotive industry or the transportation networks, whatever that may
be. So we've got to think like hackers, right?
So I want to recognize somebody who's done some outstanding work in the room. Jay Radcliffe,
a researcher, but he's also a client. So Jay hacked his insulin pump a couple years
back and has since done some hacking on several different medical devices. And one of the
frustrating things for me as I watched this, I looked at that and said that research matters.
It really matters. It affects public good. And maybe he did it because he didn't want
to die or get hacked at an airport. But a lot of the research we do is fun, but does
it really matter? Are we going to find the 700th piece of malware? Is that going to differentiate
you as a researcher?
When we throw these over the fence, does it work? So I really dug into this and I saw
that the work that Jay and others have done and also the huge loss of Barnaby Jack. Those
two were really doing some outstanding work and it's a huge loss. We were already planning
to include Barnaby in this and that's very, very ‑‑ I don't know. There's no words
for that. But when we look at that, they really have a hard time, right? It's hard to ‑‑ we
thought about the conflict.
We thought about the kill chain. Everyone know the Lockheed Martin kill chain for how
bad guys get stuff out of your network? We need a kill chain. And what I saw is it was
really tough for him to get and procure more devices to test. And he did a really good
job testing it and finding the vulnerability, but then he went to the vendor and it didn't
work, right? The vendor pushed back, you know, ridiculed, denied, defused. And I'm sure some
vendors are better than others. But we really had a really hard time getting that into affecting
some sort of change. And instead of us looking on activities like I found 0day or I published
a phone or I have some, you know, different presentation at some different conference,
we wanted to see how do you pull that through all the way through to a result.
So I went to this guy, Kevin Fu, who is a Ph.D. in industry, and he's been studying
a lot of these medical device laws. There's way more than you could possibly imagine.
And we're still not getting through. So I asked why. And it's that the FDA is one of the
bottlenecks. They didn't have the ability to reject devices. And they're not actually
putting in new framing to allow for better granularity.
So an individual researcher can have a really hard time going through multiple gates and
multiple obstacles. And really what we want to do is we want to work with people in the
industry and map that chain of influence and then fuzz it and try and iterate and fail
fast and focus on we're not done until we actually see some sort of substantive change
in how we raise the bar and do care for putting elective attack surface on life‑saving technologies.
So that's just a deep example on one of these. But these are tractable. They look overwhelming.
And maybe it's not Jay who is going to be the one on CNN or maybe he's not going to
be the one who does the driver development to fix it. But we have the talent in the room
for every single step along the way.
So there might be some people, you know, even when Josh and I were first talking,
thinking, well, this is really hard. This is going to be very hard. This is not going
to be something that's going to be easy. But we often do very difficult things. And
there's dozens and dozens of talks here at DEF CON about very, very difficult things
that are being done in the technical world. So to put it in a little different perspective,
a little clip to show you. If you can dodge a wrench, you can dodge a ball. So if we can
hack something, X, fill in something, an iPhone, a SCADA system, if you can hack anything,
we can hack this. But we have to be organized. We have to work together. We have to put the
right people in the right roles to get this done. Like we mentioned earlier, you can't
put a hacker in front of a senator because they see a hacker. But we have to put the
right people. And we have people in this room that can fill all those roles. Every single
one of you has a role to play and can use their best skills, their best techniques to
help drive this home. Jailbreaking the system. It's incredibly difficult to find the jailbreak
and implement it and to weaponize something in order to perform a jailbreak.
Very, very complicated. We can do that with this system. And as Josh mentioned earlier,
some of our best social engineers are in this room or at this conference. Some of the best
social engineers in the entire world are in the hacking community. But that doesn't mean we need
to be dishonest and try to deceive people. But we use those skills. It's exactly the same skills
that the best CEOs on the planet have for selling their investors on something. We need those people
to play that role as well. So how do we do this?
I really like the fact that we're calling out that everybody does have a role. It's
not a platitude. We really mean it. Right when I said on Twitter that Jay was giving
a presentation at B-Sides, I said one of the biggest bottlenecks is getting devices.
And three people we've never heard of replied and said, oh, I know how to get them. You
have something you can do. And I was talking to a young guy from Portland, Maine yesterday
and he pointed out that one of his first jobs was doing device drivers at a local SCADA
system shop. You don't even have to be a hacker. You can just write really, really solid security
aware code for one of those vendors. I couldn't find a 0-day to save my life, but I've been
very accepted by crossover into talking to government people. He did a TED talk. I was
in Vanity Fair. I can take the technical stuff we do here and I can actually make it mainstream
accessible and get in front of policymakers. There are actually six of us hacker types
at a U.N. meeting in Toronto this spring. Jeff Moss, me, Bejtlich, Mikko Hyppönen, some others.
And they were listening to us as the technical voice of reason. Now, the bad news is we didn't
get very organized, but you don't have to be a rock star, you know, A-list name to actually
contribute to the research that we're actually carrying to the outside world. Now, when I say
anybody can play a role, I'm also speaking to those pillars in our industry, our tribal chieftains,
because this is going to be really, really hard.
And in a leadership role, we're going to need ‑‑ our toughest battles require our
strongest warriors. So we really, really need not just a grassroots kind of like yeah,
yeah, rah, rah. We need people to take leadership roles as executive directors on some of these
different manifestations. Now, forget the term platform per se. This is a straw man,
but we think we've put a lot of thought to this and reiterated this. So for sake of beating
up ‑‑ in fact, we're going to be using this to take it to the meeting in eight weeks,
which we will discuss.
But we really see that there's three ways to secure our future. We have to keep a very
small list of priorities so we don't spread ourselves too thin. We can learn how to do
this on a few topics and then we can move out. But essentially, I think we need to focus
on public good and safety. And that's really why I wanted to call out Jay and Charlie Miller,
by the way, and Chris, did you see their amazing car hack? Now, whether they did it for altruistic
reasons or not doesn't matter. My neighbors were asking me about it. I got a flood of
e‑mails from people who don't ‑‑ I don't know if you've seen it, but I got a flood
of e‑mails from people who don't know anything about our industry saying I had absolutely
no idea how much of a car can be controlled via software.
So we have a few people doing research like this, but I would like to challenge us through
this program to say let's get a critical mass of lots of you. If you're going to pick
an Android malware, don't. Go pick a medical device. Go pick an auto OS. Go pick a control
system. Because if we can demonstrate that we are doing a unique public good for public
safety, guess what we can stave off?
We can actually carve off and demonstrate and earn the permission of the hearts and
minds that what we're doing is critically necessary and therefore requires that we can
stave off the criminalization of research. This is your first time speaking at DEF CON,
huh? No.
What? Are you lying? No.
This is your first time? No, it's not. I don't think we're going to get away with it anyhow.
Oh, good. Nice.
You've got it.
I was kind of shocked when you told me this. I was like, I think we've spoken here before.
But fuck you now.
We're getting trolled by PW crack.
Okay. But, you know, even if you don't care about the public good and public safety, you
just want to be a narcissistic vulnerability pimp, to avoid that criminalization, this is
how we're going to do it, right? So if you're going to pick something next year, pick something
that matters. Whether you're a father or a mother or, you know, an uncle or an aunt,
it doesn't really necessarily matter if you want to help public good. Be selfish. If you're
not going to do it, be a little bit selfish. If we do some things that are clearly valuable
that no one else can provide, and we do it in an intelligent way, we give the PR and
air cover for that, you know, we're going to demonstrate that this isn't something to
be criminalized. I don't know if you saw the Obama clip about Snowden, he's not going
to scramble jets for a 29‑year‑old hacker. We've got to take that back and demonstrate
that we can do this. The last bullet, and this wasn't really my anonymous research and
my research in the U.N. and ITU. We're going to take that back and demonstrate that we
can do this. I'm very, very worried that technology and civil liberties and human rights are not
compatible. We're seeing the battle and the entanglement between the two and civil liberties
and human rights are losing. They're losing big time. And part of it is because people
are evil. And part of it is because people like power. But another huge part of it is
they're just illiterate. You know, I had very powerful people in government say we
should empower the carriers to do deep packet inspection to stave off the erosion of intellectual
property to China.
And I spit out my drink. I'm like, you do realize the efficacy of signature antivirus
for state‑sponsored adversaries is zero. And essentially that's really bad math, right?
So I can't stop them from questioning should we trade civil liberties and fourth amendment
for safety, but I can tell them it won't actually grant them safety. So we need to do that for
ourselves because we live in the world, too. If you really squint, what we're basically
describing will resonate.
A little piece of that will resonate with almost everybody in the room, but more importantly
almost everybody in the mainstream because really what we're talking about is protecting
our bodies, our minds, and our souls.
So there's some next steps. So as we spoke about earlier, this isn't a ‑‑ we don't
have the answer for you. But we have some next steps that we want to discuss. So the
first of the next steps is naming the movement. We don't have a name. We have some stickers
up here that have some phrases on it. We don't have a name. You give it a name.
We actually don't have to name the movement.
If you have ideas, please let us know. We're all ears.
There is also forming an executive and advisory board. Now, this is not going to just be people
from our community. We want to identify those people. We want to identify those people
that have one foot in our industry and another foot in another, because that's where we'll
get the more traction.
Also holding a constitutional Congress. A meeting of anybody that wants to participate.
Let's get these things on paper. Let's brainstorm how we're going to organize.
And this isn't
hand-waving.
The guys at Derby have given us
a space. Eight weeks from now,
we will be holding the first Hacker Constitutional Congress
for interested parties at DerbyCon.
And for those that can't make it, we're going to look into some way
to remote people in.
But our tribal chieftains and
Coalition of the Willing and the folks that
actually want to make sure that we do this intelligently
and we have the right
platform and the right issues to promote,
we're going to do this right.
The other piece is to share the results.
This is not, we're not
forming a secret society here.
We want to share these results with people.
We want you to have feedback into
those results and understand what's
going on at all times. And so we do have a
Twitter account you can follow, but we're
working on ways to better communicate.
And a lot of that will be figured out at the Hacker
Constitutional Congress and what the protocols
will be using. And then of course,
executing projects. Building the think
tank.
To be able to take the medical research
and put it in front of
the right people that can change
the way they think about
what we're doing.
So if we,
we're not going to teach you to be experts on all the different
international and domestic
legal organizations, but what we
can do and hope to do is just flip that one bit.
If you thought someone was going to come
fix this for you, we want you to realize that
the cavalry isn't coming.
It's you.
Now, it's going to be difficult.
It's going to take time.
We're going to have struggles. We're also a fairly
cynical group, so we're going to
point out all the ways this won't work.
But it's time to start
failing fast and iterating.
And I'm willing to take the lumps and bruises.
I'm looking at this as a marathon and not
a sprint. And
if not now, then when?
And if it's not you, then who?
So,
yes, we have
stickers. Yes, we have Twitter
handles. But what we really need is you.
So I have a question for you. And I know
some of you are itching to get to the mic, but
how are you going to help make this real and who's
in?
Stand up.
Stand up if you're in.
The adults.
The microphone. Yes.
Hi there. Gary Reimer.
This is my first DEF CON.
And I've been coming here because I want to get
full blown into the security world.
And while I'm not
a security geek like a lot of the people
here, I can communicate
with anybody from a CEO to
a janitor. And if I can understand it, I can help
them understand it. And you had me sold
five minutes ago, which is why I wanted to be first
on the mic. I'm going to give you my cards.
I want to get your cards. I want
to be part of this. I don't know how I can
contribute, but darn, I want to.
Yes. I just want to say
the Fourth Amendment is already the middle
ground between the government can
do anything it wants and
the government can't do anything at all.
We wrote a specific set of rules that
they have to follow. A warrant
based on probable cause
and witnesses.
This is as far as we should
go. Period.
The second part of that is
more rules and more laws
and more regulations are not
going to fix this.
You know, we had some cognitive dissonance. I appreciate your comments. We had some cognitive dissonance about this because, you know, we tend to be a fairly libertarian-ish group. We tend not to like formal powers of structure. That's why I was kind of saying we need to kind of hold our nose and eat our lima beans. And even if you hate these things, this is a set of value levers. And when you're in the middle of jailbreaking an iPhone and you don't think about how it should or shouldn't be, you find a way to get it done. And I still carry cognitive dissonance over this. You know, I'm the guy who called PCI the No Child Left Behind Act. The last thing I want to do is push more and more regulation and brittle things. I think the spirit of this is using every available mechanism. And we haven't tried these yet. And I'm not sure they'll work. You know, I had some very critical people say, you need to be transgressive. You need to break the law. You got to be more aggressive. We got to take Anonymous up ten notches or something like that. And I thought historically about things. I'm not trying to equate this to it. But, you know, the Black Panthers were very aggressive. They were scaring people. They weren't really causing substantive legal change. And then you had the Civil Rights Movement, which was more moderate, and engaging in the system. And it's unclear if one could have succeeded without the other. But I don't want to leave these options on the table. And even if I get my butt kicked, I'm not going to get kicked. And we're ridiculed and made fun of. That's okay because we have to try something. And I think that's why we want to have the Hacker Constitutional Congress. We really want to establish what are our first principles and how do we avoid becoming the monsters that we fight. So I'm hyper-conscious of your concern. I share it. And I also just want to connect the dots with some things that are happening. EFF does their part. There's also Fork the Law. There's also a whole bunch of amicus briefs written for Weev to try to work with the judicial process. And there's a whole bunch of law professors here. And the thing that broke my heart was none of those little groups were talking to each other. So some of the pieces contradicted each other. So even if it's just aligning and getting critical mass on the existing initiatives to force multiply them, that's reasonable. I think some of us are more angry and more aggressive than others. And I hope that's why we're going to figure out what we can agree on and make sure that we keep ourselves honest. It's going to take a lot of work. So I do share your concerns. Thank you.
Hi. My name is Sarah Jeffrey, and I actually am really very, very grateful that you brought up Weev's case. I do prison support for Weev, Andrew, I mean, Jeremy Hammond, Barrett Brown, and Bradley Manning. And all four of them have a CFAA charge in their rap sheet. I was at the defense of Bradley Manning, and for about six hours of the first day, they were discussing the difference between an EXE file, installable file, and a shortcut of a CD on a given drive.
Action! Let's block it!
What?
Action! Let's block it!
Okay. And this is part of a court-martial of one of the biggest leaks. Okay. Get the fuck out. This is important. The reason I'm not backing down is because every single one of you here are being persecuted like the actual activists. And Weev has had 60 days of admin segregation for tweeting from prison. Barrett Brown has detoxed opiates without medication. Jeremy Hammond has been in over 80 days of confinement for making inmates create Anonymous paraphernalia during their art projects. Bradley Manning has been tortured for six months naked, 23 hours a day. And they call them a hacker, just like the way they did with Snowden. And they're using the word wget as a hacker tool. These are all in the actual court proceedings. You can read them from Freedom Press Foundation. They're coming for all of you. So you guys need to put the egos aside. That's all I wanted to say.
Thank you. Thank you for your comments. That falls directly in line with the discussion on the preservation of security research. As a security researcher, I've done things in the last couple of years which I may not want to do today just because of the chance of the broad application of CFAA. So, thank you.
Hi. You guys have talked a lot about legislation that you don't want governments to institute against hackers. What about any legislation that you might want to institute that would provide a counteracting effect? Like, for example, holding vendors of vulnerable systems more accountable.
I'm not sure if people heard that. I had a little echo there, but again, that cognitive dissonance is ever present in my mind that I don't want to necessarily add a ton more legislation. It's more about fixing existing ones whenever possible. I think we should use it sparingly. But one of the things we've realized is, and there's a lot of things that divide us, back to the prior comment. Some people are like, why are you talking about an amicus brief for Weev? He's a raging troll asshole or something like that. And I said, it doesn't matter if you think he's a raging troll asshole, even if you don't like him. It's like The People vs. Larry Flynt. You didn't have to like pornography to like free speech. And case law does dictate things. That's one of the reasons we have to hack some of the judicial process and participate in the working groups that are looking to rev CFAA. And it's not just for even the criminalization of research. People are looking at defending themselves with hackback or active defense or various things that are also controversial. But one of the things that a lot of us that do application security realize is there's absolutely no software liability whatsoever. So if a toaster burns your house down, you can sue the people who make the toaster. If a Therac-35 machine gives you a lethal dose of cancer, you can't sue and win. And I don't think, there's lots of good reasons for that. I've done a ton of research as to why the U.S. doesn't want to add more regulation and hurt GDP and competitive edge in other places. But there's plenty of precedent in medical devices; you have the FDA. In cars, you have the five-star crash rating system. So it's about shoehorning in and hacking existing regulations and laws to maybe just tweak them instead of creating them from whole cloth.
Doug?
Two quick questions. Pick what you want. Most of the populations you're talking about trying to channel here tend to prefer true democracy. One person, one voice, one vote. What we work in for the most part to do legislation is representative democracy, which is a very different system. How do you plan to resolve that without alienating people? And then the other one is, got a lot of people standing up here. It's awesome. I love to see that, too. How are you going to keep those same people as enthusiastic at six months, 12 months, 18 months, 24 months?
Great points, great questions. I think the reason we want to have that constitutional Congress is we want to decide how we're going to make decisions. You decide how to decide. And there'll be tradeoffs to all those. And anything volunteer-esque is going to have its ups and downs. I think the reason that this will have some staying power, especially if we get some early movement and wins, is regardless of your motivational structure, if you're altruistic, if you want to do good, there's plenty of built-in motivation to do it. But even if you're a narcissistic vulnerability pimp, once we have this hearts and minds thing in place, and I was talking to someone who was like, I don't care, I just want to get famous. And I said, okay, well, how much access and relationship do you have with CNN or Vanity Fair or whatnot? We could be a force multiplication and platform as a service for broadcasting good work. So there's some built-in incentives regardless of your motivational structure to get some benefit out of this. And I think because we're so frustrated and because there is no other line of defense and it falls to us, I'm hoping that that gets a little bit of movement. Plus we just need to get an early win. And I think we have a couple in mind. We've done a lot of pre-homework. Did I answer the second question?
Yeah.
So I just wanted to say while it is easier to subvert existing processes, we can use the same lobbyist organization or professional board or whatever to advocate repeal of existing law that we disagree with. We don't necessarily have to just roll with whatever's there. A voice is a voice. And we can use that to repeal law whole cloth. So for people who have reservations about that. That's true.
Absolutely. Thank you.
Again, the choice between two questions. One is we know we can save people. Okay, we can swoop in and rescue the public. But how do we make this more public? How do we shout out that we've done this? And the second is if you're familiar with the 501 medical device registration and where that fits in in the class 2 FDA, could you speak to how we can get software elevated to even a class 3 device?
Okay.
So I'm not the expert on the medical device pump. But that's why we've sought out people like Kevin. In fact, Kevin does a great job within his scope and remit. But when I talked to him about the Bluetooth, just a tiny anecdote before we run out of time. He said, I said, why do you even need Bluetooth on an insulin pump? And he said it's not like it's a pacemaker where it's under the scanner. And he said, well, it's the bacon principle. I said, what the hell are you talking about? And he said, everything's better with bacon, everything's better with Bluetooth. So one manufacturer did it and then they all had to do it because it was cool. And what you have is something that's not medically relevant, that's highly attackable in a life-saving situation. So we need those subject matter experts to answer the spirit of your question. And that's what we mean by mapping these. I think the roles and responsibilities we're hoping each of you can do is once we've mapped that kill chain for a particular industry, then we can start iterating. And the pushback I gave him was, he said, well, Josh, the FDA had a choice between failing to approve a medically life-saving technology or being afraid of a theoretical hack. And I said, okay, fine, they had to rubber stamp it. But they could have also said, by 2015, anyone putting elective, remotely accessible technologies onto a medical device will incur additional scrutiny for adversarial testing and validation. There's ways to look at this as a marathon, even if they couldn't do it with current things, you keep iterating. I'm not trying to trivialize it, it's actually far more complicated than that. But keeping at it and asking the questions and being the tenacious hacker that fuzzes that kill chain and fuzzes the chain of influence, we're going to have a win.
So first of all, I think that a lot of people, like my mother, couldn't put together that hacking is related to safety. And it was a matter of teaching her, well, you know, you have to find these vulnerabilities. When you find them, then they can be fixed. And until that point, somebody could exploit them without you being aware. So putting the spin on it being about the safety of our families is super important. And second of all, how will you prevent an organization of hackers from being open to abuse? Because I feel like every time I see hackers organized, they do things like hoard exploits that it just doesn't work out so well.
That's a concern that's come up often. One of the things we actually said in our Anonymous research was it was very prone to infiltration and hijacking. And there were several governments and political groups infiltrating and trying to hijack. One of the things about hackers that's interesting, I think Quinn Norton said this, she goes, they're prone to influence but you can't control them. So we're really hard to control. It's almost the virtue of us being so chaotic. I think this is going to be hard. Keep bringing these criticisms. We have time for probably one more question. But then we're going to go to the room. We want to flag every single one of these because we don't want to just try something. We want to actually succeed at something. So keep raising these concerns. Last question.
How fitting that it's Jay Radcliffe.
So guys, this week I spent all week talking to media about a talk I gave at Black Hat and at B-Sides, which a software flaw put me closer to death than I would have liked. And when I approached the vendor about this, they said you should have read the manual and we're not fixing that. If you think that these things are in the future and that they're coming, they're not. They're here right now. And we need to change these things right now. And I can find a hundred medical device flaws and I'm still going to get the same response. It's going to take a mass movement. It's going to take all of us getting on the same page to make this problem change. I can do all these things but I'm not going to move the rock an inch forward without more help. Exactly like Josh is talking about. In the media, in lobbying groups, in places that we haven't been before. And there's no reason that we can't get together and move that system. Thank you.
So we're out of time but this conversation doesn't have to stop. Please join us for Q&A in the Chill Out Lounge immediately after this talk. Thank you.